Introduction to these guidelines


These guidelines are the Privacy Commissioner's view of how the Information Privacy Principles 
(IPPs) 1-3 in the Privacy Act affect federal government agencies. IPPs 1-3 are concerned with how 
government agencies collect personal information. These guidelines are not legally binding. 
They only describe how the law works. 


This is the first set of guidelines in a series to be published by the Privacy Commissioner.

What do the IPPs do?


There are eleven IPPs in the Privacy Act. Most federal government agencies that handle 
information about people must follow these IPPs. 


The IPPs do these things: 


• they regulate the way government agencies collect, store, use and disclose information about
people;
• they allow people access to information agencies keep about them; and
• they allow people to request changes to this information.


How to use these guidelines 


1 Use the quick reference guide to see which Information Privacy Principles apply to your 
collection 

2 Use the table of contents to help you find guidelines on topics that might be relevant 

3 Some of the words used in these guidelines have special meanings. Use the "Meanings of 
words" section to help explain words. 


Which Information Privacy Principles apply to me? 


More than one Privacy Principle, and more than one guideline, may be relevant to your collection. 


You should read ALL the guidelines that apply to your collection to make sure you have found all 
the relevant information. 


Where do I get more information? 


If you have any questions about the IPPs you can telephone the Privacy Commissioner's office 
toll-free on: the Privacy Hotline - 1300 363 992 


When do IPPs 1 - 3 apply? 
IPPs 1-3 apply when an agency collects personal information and intends to: 


• include the information in its records (in the form of documents, databases, audio tapes or
pictures); or
• publish the information in a generally available publication.


Even if they do not intend to record or publish the information, agencies must not collect it unfairly 
or unlawfully. (see IPP 1.2) 


Which IPPs apply to collecting personal information? 


IPPs 1-3 only apply if an agency is collecting personal information. Which parts of IPPs 1-3 
apply depends on how the agency collects the personal information. 


There are three ways in which an agency can collect information about a person for including it in 
its records, or in a generally available publication: 


1 someone gives information to the agency about the person without the agency asking for it. 
(IPP 1 applies) 

2 the agency asks someone else (for example, another agency) for information about the 
person. (IPPs 1 and 3 apply) 

3 the agency directly asks a person for information about himself or herself (for example, it 
asks the person to fill in a form). (IPPs 1, 2, and 3 apply) 


Text and summary of IPPs 1-3 as set out in the Privacy Act 
Text of IPP 1 


1 Personal information shall not be collected by a collector for inclusion in a record or in a 
generally available publication unless: 


a) the information is collected for a purpose that is a lawful purpose directly related to a 
function or activity of the collector; and 
b) the collection of the information is necessary for or directly related to that purpose.


2 Personal information shall not be collected by a collector by unlawful or unfair means. 


Summary of IPP 1 
IPP 1 says that agencies can only collect personal information:

• for a lawful purpose that is directly related to their functions; and
• if collecting the information is necessary for or directly related to that purpose.


Agencies must not collect personal information unlawfully or unfairly.

Text of IPP 2

Where:

a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that,
before the information is collected or, if that is not practicable as soon as practicable after the
information is collected, the individual concerned is generally aware of:


c) the purpose for which the information is being collected; 

d) if the collection of the information is authorised or required by or under law - the fact that the 
collection of the information is so authorised or required; and 

e) any person to whom, or any body or agency to which, it is the collector's usual practice to 
disclose personal information of the kind collected; and (if known by the collector) any 
person to whom, or any body or agency to which, it is the usual practice of that first 
mentioned person, body or agency to pass on that information. 


Summary of IPP 2 


IPP 2 says that if an agency asks a person for personal information about himself or herself, it 
must normally tell the person: 


• why it is collecting the information
• whether it has legal authority to collect the information; and
• who it usually gives that sort of information to.


Text of IPP 3 

Where: 

a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
b) the information is solicited by the collector;


the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, 
having regard to the purpose for which the information is collected: 


(c) the information collected is relevant to that purpose and is up to date and complete; and 
(d) the collection of the information does not intrude to an unreasonable extent upon the personal 
affairs of the individual concerned. 


Summary of IPP 3 


IPP 3 says that when an agency asks for personal information, the agency must do its best to 
make sure that the information is: 


• relevant to the agency’s reason for collecting it;
• up to date; and
• complete.

It also says that when an agency gets personal information from people, it must do its best not
to intrude unreasonably on their personal affairs.


Meanings of words 

The meanings used here are based on the definitions in section 6 of the Privacy Act. 
Agency 

Agencies are generally federal government organisations. These organisations include: 


• federal government departments
• bodies and tribunals set up for a public purpose by federal government laws.


State and local government organisations are not "agencies". 

Some types of organisations, even if set up by federal government laws, are not "agencies". These
include:

• incorporated companies;
• incorporated societies; and
• incorporated associations.

The IPPs legally bind most agencies. 


"Asking for" information 


An agency asks for (or 'solicits') personal information if it encourages other organisations or people 
to give it particular information. This includes: 


• asking directly for the information. For example, asking for information on a form
• arranging for an organisation or a person to give it personal information regularly; or
• encouraging people to give it information (for example, by setting up a hotline).


Generally available publication 


Generally available publications include things like magazines, books, newspapers, annual reports, 
the Government Gazette and public databases like the Electoral Roll. 


Personal information 
The Privacy Act (and these guidelines) only cover personal information. This is information or
opinions that can identify a living person. 


A record 
A record is a: 


• document
• database
• a photograph or picture of people.


The Privacy Act lists a number of exceptions to this definition. For example, generally available 
publications are not "records". 


Information Privacy Principle 1 


What are the guidelines on IPP 1? 


Guideline 1 gives the text of IPP 1
Guideline 2 defines the "purpose of collection"
Guideline 3 defines "necessary for or directly related to"
Guideline 4 describes some practices which may breach IPP 1.1
Guideline 5 describes when a collection is against the law
Guideline 6 tells you what collecting in an unfair way is
Guideline 7 tells you how you can avoid collecting unfairly
Guideline 8 briefly discusses secret optical surveillance


1. What does IPP 1 say? 
The text of IPP 1 is: 


1) Personal information shall not be collected by a collector for inclusion in a record or in a 
generally available publication unless: 


a) the information is collected for a purpose that is a lawful purpose directly related to a 
function or activity of the collector; and 
b) the collection of the information is necessary for or directly related to that purpose.
2) Personal information shall not be collected by a collector by unlawful or unfair means. 


Meaning of IPP 1 


IPP 1 sets up general principles for agencies collecting personal information. Collection should
be relevant, lawful and fair.


IPP 1.1 says that agencies can only collect information that is: 


• for a lawful purpose directly related to their functions; and
• necessary for or directly related to that purpose.




IPP 1.2 says that an agency must not collect personal information in a way that is unlawful or 
unfair. 


2. What is the purpose of collection? 


When working out the purpose of collecting personal information, an agency should consider: 


• why it collects the information;
• what its role is in relation to the person who the information was about; and
• what a reasonable person would think its reason for collecting the information was.


To protect people, the Privacy Commissioner usually interprets the purpose of collection narrowly. 
For example: The Privacy Commissioner normally does not accept the view that an agency 
collects personal information just to administer an agency or a set of laws. The purpose of 
collection should be more specific than this and it should relate to the current reason for collecting 
the information. 


Some purposes that the Privacy Commissioner would accept are: 


• allowing the agency to give someone a particular benefit or service; or
• helping the agency to run a particular government program.


Note, however, that an agency can only collect Tax File Numbers for limited purposes. Guideline 4 
tells you what these purposes are. 


3. When is collecting personal information necessary for or directly related to 
the purpose of collection? 


Collecting personal information is only necessary for or directly related to the purpose of 
collection if the information directly helps to achieve that purpose. Guideline 2 looks at what is 
meant by "purpose of collection". 

Agencies should have a clear purpose for collecting each piece of personal information. They
should work this purpose out before collecting the information. Collecting information just because
it may be useful in the future is generally not acceptable.


Note that an agency can only collect Tax File Numbers for limited purposes. Guideline 4 tells you 
what these purposes are. 


4. Practices that may breach IPP 1.1 
The following practices may breach IPP 1.1. 
Asking for irrelevant information 


If an agency asks for background information which it doesn't have any particular use for, the 
agency is asking for irrelevant information. 


Some examples of getting irrelevant personal information are: 


• collecting information about a whole group of people when information is only needed about
some people in the group;


For example: An agency cannot ask all new employees for information relevant to security 
clearances when not all new employees need a security clearance. 


• collecting a broad range of information when only some information is relevant.

For example: An agency needs to know information about a person's income to work out whether 
he or she can get a benefit. The agency does not need other financial information (such as 
information about assets). The agency should ask only for the information it needs, rather than 
asking the person to give information about all his or her finances. 


What if using information is against the law? 


An agency may not collect personal information for a purpose, if the law says it cannot use that 
information for that purpose. 


For example: The Spent Convictions Scheme prevents some types of old convictions from being
considered by agencies. Therefore, agencies should not try to collect information about those
convictions.

Are there any exceptions? 

An agency can collect general intelligence information if: 

• collecting intelligence information is an important part of its job and collecting the information
will help it to do that part of its job; or
• if the law specifically authorises it to collect the information.

Very few agencies have the job of collecting general intelligence. Examples of agencies which do
collect general intelligence are the Australian Federal Police and the Australian Transaction Reports
and Analysis Centre.


Some agencies have specific legal powers which allow them to collect information about groups of 
people, even if they do not need the information about each person in the group. 


What should an agency do to avoid asking irrelevant questions? 


• Agencies should check forms and interview questions and work out how they are necessary for,
or directly related to, the purpose of collection.

• Agencies should generally only ask for information about relevant people - they should not ask
for information about a whole group of people if they only need information about some
members of the group.

• Agencies should clearly tell their interviewers about IPPs 1-3, and the range of questions they
can ask. Agencies can use training and instructions to do this.


Unnecessarily recording a person’s identity 




Agencies should only record information in a way that identifies people if they need to. 
For example: An agency is surveying people who used to receive a government benefit. The
agency only needs figures about how many people now have different jobs. The agency should not 
record the names or other identifying details about the people. 


Unnecessary recording of information 


Sometimes, agency staff get personal information that is not necessary for or related to any 
purpose of the agency. This includes: 


• when people send information to the agency without the agency asking for it; or
• when an agency asks for some information, but people give it more information than it asked
for.


As soon as practical after it receives personal information, an agency should decide whether it is 
relevant to what the agency does. If information is not relevant, the agency should not keep it in its 
records. 


For example: An agency needs limited information from a person's passport, and asks to see the 
passport to confirm the person's identity. If the agency makes and keeps a copy of the whole 
passport, it may be in breach of IPP 1. 


What should agencies do to avoid unnecessary collection of personal information? 
Instead of keeping full copies of documents that people give it, an agency should think about: 


• noting the information needed from a document, then returning the document;
• blanking out irrelevant parts of the document when copying it; or
• if using a document to identify someone, officers could note that they have seen the document,
rather than keep a copy.


If an agency often receives information it does not need and which it has not asked for, the agency 
should try to stop this happening. 


For example: An agency often asks doctors for limited medical information about people. 
Doctors often give the agency extra information which it does not need. The agency should make 
sure it explains exactly what information it wants, and tell doctors not to give extra information that 
the agency has not asked for. 


What is the rule about Tax File Numbers? 


There are special rules about collecting Tax File Numbers (TFNs). An agency can only collect
TFNs:

• to help it administer tax laws; or
• for some special purposes under assistance agency law.

If someone gives an agency a document with a TFN on it for some other purpose, the agency must
allow the person to remove the TFN. If the person does not remove the TFN, the agency must
remove the TFN before adding the document to its records.

For more information on TFNs, see the Privacy Commissioner's Tax File Number Guidelines in the
Federal Privacy Handbook.


5. What collections are against the law? 


IPP 1.2 says that no-one can collect personal information in illegal ways. Collecting personal 
information could be illegal if: 


• an agency commits a criminal offence under State or Federal law by collecting it; or
• an agency could be sued for something it does in collecting it (for example, for trespass).


For example: If the law does not specifically allow the following collections, they might be against 
the law: 


- intercepting telephone calls and using listening devices; 
- collecting details by trespassing onto property; or 
- interfering with mail. 


It may also be illegal if an agency collects information that it does not have the power to collect 
under the laws that let it collect. 


6. What is collecting in an unfair way? 
IPP 1.2 says that no-one can collect personal information in ways that are unfair. 


It is difficult to define unfairness. Below are some examples of collection practices that may be 
unfair because they involve: 


• tricking the person giving the information; or
• using too much pressure.


Tricking or misleading the person giving the information 


An agency is likely to breach IPP 1.2 if it tricks or misleads the person from whom it collects 
personal information. In particular, the agency is likely to breach IPP 1.2 if, because of its 
collection practice, the agency gets information that the person would not otherwise have given to 
it. 


Here are some examples of these collection practices. Some of these collection practices could also 
be against the law. 


Misleading people about who is collecting the information 


It may be unfair for an agency to mislead people about who is collecting personal information, or 
why the information is being collected. 


For example: An agency representative asks a third party for information about a person. The 
representative does not say that he or she works for the agency, but pretends to be a friend or 
colleague of that person. 


When an agency collects personal information from a third party, the agency should be careful 
about what it tells the third party to avoid giving information away. However, agency staff should 
usually say what agency they are from. 


Misleading people about the confidentiality of information 
It may be unfair for agencies collecting personal information: 


• to tell people that they will keep the information confidential if they will not; or
• to mislead people about who they might give the information to.


Agencies should not tell people that personal information will be kept confidential if they 
sometimes give the information to others. 


Misleading people about the benefits they get for giving information 


It may be unfair for an agency to mislead people about benefits they will get for giving personal 
information. 


For example: An agency places newspaper ads asking for certain people to contact it. It states 
wrongly that people who answer the ad will learn something to their advantage. 


Making false claims about the consequences of not giving information 


It may be unfair for an agency to try to collect personal information by misleading people about 
things that will happen to them if they don't give the information. 


For example: 


• An agency tells a person that he or she may be prosecuted if they do not give certain
information, when the person could not be prosecuted.

• An agency says on a form that a person has to give certain information to get a benefit; but does
not say that some people do not have to give the information in certain circumstances.


Collecting voluntary information as if it was compulsory 


It may be unfair for an agency collecting personal information from people to tell them they have 
to give the information when they do not have to. 


For example: 


• An agency conducts a survey. Taking part in the survey is voluntary, but the agency tells a
person that the law says they have to take part.

• An agency gives a person a form to fill in. The person has to answer some of the questions, but
the rest are voluntary. The form does not make this distinction. It says: The law says you have
to give information required by this form; but does not say this does not apply to all the
information asked for.


Using too much pressure 


It may be unfair for an agency to use too much pressure on a person or organisation when it asks 
for personal information, especially if this reduces someone's choice of what information to give. 


Some examples of practices which could use too much pressure are: 
• visiting people's homes at unreasonable hours;
• asking a person many times for details;
• interviewers insulting or intimidating people;
• asking for information in ways that might unnecessarily embarrass a person.


IPP 3 prevents collecting personal information in an unreasonably intrusive way. Guideline 21 
tells you how an agency can avoid collecting information in an intrusive way. 


7. How to avoid collecting unfairly 

There are several things agencies could do to avoid unfair collection. 

Giving people full information about the collection 

Collectors should tell the person giving the personal information: 

• who is collecting the information (if this is not obvious from the circumstances);
• why they are collecting the information (so long as this does not involve mentioning information
about someone else illegally);
• whether the information is likely to be passed on to others; and
• what things might happen (good or bad) if the person does or does not give the information.

Agencies can avoid misunderstandings if they clearly tell a person these things. 

If a form asks for information that the person must give, and also information that the person does
not have to give, it may be useful to put voluntary and compulsory information in separate parts of
the form.

Do not put too much pressure on people 

Agencies should collect personal information in a way that does not put undue pressure on the
person giving the information. See also Guideline 22 about how IPP 1.2 applies to law enforcement
organisations when they collect information. When an agency interviews someone, it should try to
tell the person about the interview in advance and conduct it in a private place.


8. Using secret visual surveillance like videos, camera etc 
Using secret visual surveillance is a great intrusion on the privacy of the people being watched.
The Privacy Commissioner has issued voluntary guidelines for The Conduct of Covert Optical
Surveillance in Commonwealth Administration. Agencies which use secret visual surveillance
should refer to the guidelines in the Federal Privacy Handbook.

What is in the guidelines about secret visual surveillance?

The guidelines about covert surveillance:


• suggest procedures for agencies to use when they conduct secret visual surveillance; and
• recommend specific procedures for agencies to use when using surveillance on people claiming
compensation.


The procedures in the guidelines about covert surveillance are designed to make sure that: 


• only relevant personal information is recorded; and
• the method of collection is not against the law or unfair.


They also cover other relevant requirements of the IPPs, including those about security of personal 
information, and using and disclosing personal information. 


The guidelines are not meant for law enforcement or security organisations, because they have their 
own strict internal instructions on using surveillance. 


Information Privacy Principle 2 


What are the guidelines on IPP 2? 


Guideline 9 gives the text of IPP 2
Guideline 10 explains the circumstances where you have to give people an IPP 2 notice
Guideline 11 tells you at what time you have to notify people
Guideline 12 sets out what should be in an IPP 2 notice
Guideline 13 tells you about third parties
Guideline 14 tells you what form the notification takes
Guideline 15 says what an agency should do to make sure staff comply with IPP 2
Guideline 16 gives some sample IPP 2 notices


9. What does IPP 2 say? 
This is the text of IPP 2. 
Where:

a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
b) the information is solicited by the collector from the individual concerned;


the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, 
before the information is collected or, if that is not practicable as soon as practicable after the 
information is collected, the individual concerned is generally aware of: 


c) the purpose for which the information is being collected; 
d) if the collection of the information is authorised or required by or under law - the fact that the
collection of the information is so authorised or required; and
e) any person to whom, or any body or agency to which, it is the collector's usual practice to
disclose personal information of the kind collected; and (if known by the collector) any 
person to whom, or any body or agency to which, it is the usual practice of that first 
mentioned person, body or agency to pass on that information. 


10. In what circumstances does an agency have to notify a person? 


When an agency asks for personal information directly from the person who that information is 
about, it has to take whatever steps are reasonable to make sure the person is aware of these details: 


• why the agency is collecting the information
• the agency’s legal authority (if any) to collect the information; and
• to whom the agency usually gives that kind of information.


These details are explained in Guideline 12. 

To make sure a person is generally aware of the details, the agency needs to ensure that: 

• the details are given to the person, unless the agency has good reason to believe that the person
already knows them;
• the details are given in a way that the person can understand; and
• the person can easily find the details.


In almost all cases the agency will have to give the details to the person. 


If an agency collects personal information without giving the IPP 2 details, the agency must have 
a good reason for considering that: 


• it could not reasonably be expected to give the details; or
• it does not need to give the person the details.


Are there any exceptions? 


An agency does not have to give details if giving the details would defeat the purpose of collecting 
the personal information. 


It is unlikely that: 


• the practical difficulty; or
• the cost;


of giving the details required by IPP 2 are good enough reasons for not giving the details. 
If these problems arise, the agency should instead try the following: 


• change the way in which the details are given; or
• if it cannot be avoided, give the details at another time.


See Guideline 14 for a list of ways an agency can give people the details. 
11. When does an agency have to notify a person?

If an agency can take reasonable steps to make sure that a person is aware of the matters set out in
IPP 2, then the agency must take those steps before collecting personal information from that
person, or as soon as practicable afterwards. For example, as a general rule, all forms which are
used to collect personal information should include an IPP 2 notice.

The agency should provide the IPP 2 details as early as possible for each request for personal
information it makes. Because the agency has to communicate with the person concerned to
collect information, there is usually a suitable chance to give the details.

See Guideline 14 for a list of ways an agency can give people details.


Can an agency give the details after collecting the information? 


An agency should only put off giving IPP 2 details if there are practical problems in giving the 
details before collecting the information that the agency cannot overcome by any reasonable means. 


If this happens, the agency must take steps to give the IPP 2 details as soon as it can after collecting 
the information. 


12. General contents of IPP 2 notices 


IPP 2 notices have to contain information about: 


• why the agency is collecting the information;
• the agency’s legal authority (if any) to collect the information; and
• to whom the agency usually gives that kind of information.


Agencies should write IPP 2 notices according to each particular collection of personal 
information. It is usually not suitable for an agency to use the same IPP 2 notice for all collections 
of information directly from a person. Usually, what is in the IPP 2 notice should vary depending 
on what sort of information is collected, why it is collected, and to whom it is usually given. 


What to include in an IPP 2 notice 


The following sections set out what to include in IPP 2 notices. Examples of IPP 2 notices are 
given in Guideline 16. 


IPP 2(c): Why the agency is collecting the personal information

Does an agency only have to tell a person the main reason for collecting the information?

Normally, the purpose of collection depends on the reason the agency is collecting the personal
information at the time it collects the information. However, sometimes the agency knows the
information will also be used for other purposes. If so, the agency should normally tell the person
about the other uses when it collects the information.


Can the title of the form be enough to give the purpose? 
If an agency uses a title on its forms that reasonably explains the purpose of collection, it does not
have to give any more details about its purpose (though it would still have to give the other details 
mentioned in IPP 2). 


However, the agency cannot later argue that the collection had a wider purpose than the title 
suggests. 


Titles on forms should not be misleading.

Can the information be used for other purposes?


Under IPP 10, agencies are not allowed to use information for purposes other than the purpose for 
which they collected the information, unless certain exceptions apply. 


IPP 2(d): The agency’s legal authority to collect the personal information 
An IPP 2 notice should refer to each provision of legislation which: 


• requires an agency to collect the personal information; or
• specifically authorises an agency to collect the information.


If legislation does not refer to a specific power, but only gives the agency a general function which 
includes collecting personal information, the IPP 2 notice should still refer to the legislation. 


IPP 2(e): Who the agency usually gives the kind of personal information collected to 


An agency should try to give a person it collects personal information from a full and clear picture 
of whom the information is likely to be given to. 


IPP 2(e) says that when an agency asks a person for personal information, it must normally tell 
that person about any third parties which it usually discloses that kind of information to. 


Guideline 13 explains when information is "usually disclosed" to a third party, and how specifically 
third parties must be identified. 


Also, if the agency knows that any of these third parties usually gives the personal information to 
other parties, it should normally tell the person this. 


If only some information is usually given to a third party, what should the IPP 2 notice say? 


If only some of the personal information collected is usually given to a third party, the IPP 2 notice 
should, if practical, show what information is given. This can be expressed generally. 


For example: An IPP 2 notice might say that "Identifying information collected on this form is
usually given to the Department of ...". This would cover information such as name, address,
telephone number, date of birth and so on.


Does an agency have to find out to whom third parties give information?


Where an agency gives a third party personal information, it does not have to actively do anything 
to find out who those third parties usually give that information to. 


But if the agency knows who the third party usually gives the personal information to, it must do 
what is reasonable to make sure the person it collects the information from knows this. Normally, 
this means that any IPP 2 notice should say who the third party gives the information to. 


Does the IPP 2 notice affect giving information to others? 


What an agency says about its usual disclosure practices in its IPP 2 notice when it collects the 
information can affect whether the agency can later give the information to others. 


IPP 11.1(a) says that an agency can give information about a person to a third party if that person is 
reasonably likely to be aware, or to have been made aware under IPP 2, that the relevant information 
would usually be given to that third party. 


If an agency tells a person when it collects personal information that it usually gives such 
information to a particular person or body, IPP 11.1(a) allows it to give the details to the person or 
body. But if the agency does not tell the person this, it may not be allowed to give the information
unless the conditions in IPP 11.1 are met in another way.


See also Guideline 13 below ("Giving information to third parties").


13. Giving personal information to third parties


Information is usually given to another party by an agency if the agency has a regular arrangement 
to give information to that party. 


Giving information to a third party


This includes:

• a regular arrangement to give all of some type of personal information to a third party

• giving only a small amount of information under a set arrangement, if the possibility of
giving the information could be reasonably predicted when the agency collected the information


This does not include:

• giving information only in exceptional cases; or

• giving information in cases that could not be reasonably predicted when the agency collected
the information.

For example: giving information to the police in response to a search warrant, or a court in
response to a subpoena would not normally be considered as a case where information is usually
given.


How specifically does an agency have to identify third parties? 


If possible, an agency should name each individual person or body to which it usually gives 
personal information. But if an agency can give information to a large number of third parties, 
naming all of them could make the notice given to a person too long or unclear to be of help. 


Guideline 12 tells you what an agency has to do to find out whom third parties give information to.


Suggestions


• Agencies should generally name all federal organisations which they usually give personal
information to.


• Generally, agencies should name other parties which they usually give personal information
to. However, if an agency usually gives personal information to a group of organisations that
do similar jobs (for example, State police forces), the agency can name the group rather than
listing its individual members. It is recommended, however, that the notice show why the
information is given (at least, in broad terms). This helps a person giving information to work
out the specific member or members of the group to which the agency is likely to give the
information.


For example: If a person is told that information is usually given to educational institutions,
and is aware of why the information is given, the person can probably work out what the
relevant educational institution is in his or her case.

• If it is impractical to put the names of all the third parties that the agency gives information to
on the form, the agency could give a leaflet with the form containing the IPP 2 notice.
Guideline 14 tells you how to do this.


14. Form of Notice 
What form does an agency have to give the notice in? 


There is no particular form for an IPP 2 notice. An agency can give the notice in any way as long as 
it makes the person aware of the relevant details. 


The most suitable way to give the IPP 2 notice depends on: 


• how the information is collected; and
• how many details the agency has to give the person.


The sections below give some comments on several ways that agencies have given IPP 2 notices in 
the past. 


Notices on forms 
If the agency collects personal information by asking the person to fill in a form, the IPP 2 notice 
can be printed on the form. This is usually the best way of giving IPP 2 details when an agency
uses a form to collect personal information.


Recommendations 
The notice should not be hard to find or read. This means it should not be:

• away from the area that the person fills in; or
• in smaller type that is difficult to read.


Leaflet given with the form 


If the agency cannot easily include the whole IPP 2 notice on a form, the agency can put it in a
leaflet given to the person with the form.


Recommendations 

• The agency should give the leaflet to people with the form. It is not normally acceptable to give
the leaflet to people only if they ask for it.

• The form should include as many of the IPP 2 details as possible.

• The form should refer the person to the notice in the leaflet, and say that the leaflet is about
privacy.

• An agency can include notices for more than one form in any leaflet.


Giving a written notice at interview 


If the agency collects the personal information at an interview, the agency can give the person a 
written IPP 2 notice at the interview. 


Recommendations 

• The agency should give the person the notice at the start of the interview.

• The interviewer should explain to the person what is in the notice, and can ask the person to
read the notice before continuing with the interview.

• The interviewer should try to answer any questions the person has about the notice before the
interview continues.


Telling people orally 


Sometimes the most practical way of giving people IPP 2 notices is to tell them orally; for example, 
if the agency is collecting personal information from a person over the telephone. 


Recommendations 

• The words that the interviewer uses to give the IPP 2 notice should be written down and
included in staff instructions.

• The interviewer should give the person the IPP 2 notice before starting the interview.

• The interviewer should take care to explain the notice clearly.

• The interviewer should ask the person if they have understood the notice, and if they would like
any part of the notice repeated.

• If possible, the agency should also send the person the notice in written form.


15. How to make sure staff follow IPP 2 
Agencies must make sure their staff comply with IPP 2. Some ways that agencies can do this are: 
• Training staff who design forms in privacy requirements.

• Referring new forms for personal information collection to staff who deal with privacy
matters. These staff can make sure suitable IPP 2 notices are included if needed.

• Including detailed instructions on complying with IPP 2 in manuals for staff who collect
personal information through interviews. Where IPP 2 notices are given orally, the agency
should give staff the exact text of the IPP 2 notice in writing.

• Including details about IPP 2 in training programs, especially for staff whose jobs include
collecting personal information direct from the subject.


Should an agency review IPP 2 notices? 


An agency should review IPP 2 notices whenever it reviews the forms that contain them, to make 
sure the notices are still adequate and accurate. 


If an agency revises manuals or other documents telling staff about how to give IPP 2 notices 
(including oral notices), the agency should check that the instructions are still adequate and 
accurate. 


If an IPP 2 notice on a form becomes inaccurate (for example, because an agency changes its 
disclosure practices), it may be reasonable for the agency to use up its existing stocks of the form, 
as long as the IPP 2 notice is not seriously misleading. The IPP 2 notice should of course be 
updated when the form is reprinted. 


If the agency does not intend to reprint the form in the near future, it should consider making the
form accurate (for example, by making a stick-on label to attach to the form with an accurate IPP 2
notice on it).


16. Examples of IPP 2 notices 

Agencies do not have to use any particular wording for IPP 2 notices. This section gives some 
suggestions about how agencies can write IPP 2 notices, and gives some models that agencies can 
use if they wish. 


Basic IPP 2 notices 


A suggested wording for simple IPP 2 notices is: 


[Name of agency] is collecting the information on this form to [statement of purpose]. This is 
[authorised/required] by [provision/name of Act]. 


[Name of agency] usually gives some or all of this information to [names of recipients]. 


The decision whether to use "authorised" or "required" in the second line of this wording would 
depend on whether the law requires, or merely permits, the agency to collect the personal 
information. "Required" is only appropriate in the rare case where the agency has no choice in 
whether or not it collects the information. 


The following are sample IPP 2 notices using the basic wording: 


Example 1: Grant application


The Federal Grants Board is collecting the information on this form to work out the amount of
assistance you can get under the grants program. This is authorised by section 21 of the Grants 
Program Act 1992. 


The Federal Grants Board usually gives identifying information from this form to State Government 
organisations which run grants programs. 


Example 2: Health Survey Form 


The Bureau of Health Research is collecting the information on this form to conduct research into 
public health. This is authorised by the Health Services Act 1990. 


The Bureau of Health Research usually gives some or all of this information to the Commonwealth 
Department of Health. 


More complex IPP 2 notices 
Sometimes an agency has to give a longer or more complicated IPP 2 notice - for example, because: 


• the agency has more than one purpose for collecting personal information;

• it gives the personal information to a lot of other parties; or

• it may know that some of the parties it gives personal information to pass that information on
to further bodies.


The following are two examples of more complex IPP 2 notices. They follow the suggested format 
for simple notices, but include extra details. 


Example 3: Benefit application 


The Department of Social Security is collecting the information on this form to work out if you can 
claim a Disability Allowance, and for managing payment of the Allowance if it is awarded. This is 
authorised by the Social Security Act 1991. 


The Department of Social Security usually gives some or all of this information to: 


• the Australian Taxation Office;
• the Department of Veterans’ Affairs; and
• the Department of Community Services.


The Department of Community Services usually gives some of the information to State 
organisations responsible for health services. 


Example 4: Personnel Information


The Public Works Department is collecting the information on this form to manage your
employment with the Department. This is authorised by the Public Employment Act 1917.


The Public Works Department usually gives some or all of this information to:


• the Department of Finance; and
• the Australian Taxation Office.


If a different Commonwealth agency employs you in the future, this Department usually gives
information from this form to the new employer.


Information Privacy Principle 3 


What is in these guidelines? 


Guideline 17 - gives the text of IPP 3

Guideline 18 - shows how IPP 3 relates to IPPs 7 and 8

Guideline 19 - tells you what information is relevant, up to date and complete

Guideline 20 - tells you how to only collect information that is relevant, up to date and complete

Guideline 21 - tells you when a collection is intrusive

Guideline 22 - talks about collecting information for law enforcement


17. What does IPP 3 say? 
This is the text of IPP 3: 


Where: 


a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
b) the information is solicited by the collector;


the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, 
having regard to the purpose for which the information is collected: 


c) the information collected is relevant to that purpose and is up to date and complete; and 
d) the collection of the information does not intrude to an unreasonable extent upon the personal 
affairs of the individual concerned. 


Meaning of IPP 3 

IPP 3 says that an agency asking for personal information must: 

• take reasonable steps to make sure that the information it collects is relevant, up to date and
complete (see IPP 3(c)); and

• take reasonable steps to make sure that it does not collect information in an unreasonably
intrusive way (see IPP 3(d)).


18. How does IPP 3 relate to IPPs 7 and 8? 


IPP 3 says that an agency should take whatever steps are reasonable to make sure that personal 
information it asks for is relevant, up to date and complete.


Even though IPP 3 does not say agencies have to make sure that personal information they ask for
is accurate, they should be careful. IPPs 7 and 8 say that agencies have to take reasonable steps to 
make sure that information they use, or hold in their records, is accurate. 


Keeping records of personal information (IPP 7) 


IPP 7 says that an agency should take whatever steps are reasonable to keep personal information 
in its records relevant, up to date, complete, accurate, and not misleading. 


Using personal information (IPP 8) 


IPP 8 says that an agency should only use personal information after it has taken whatever steps 
are reasonable to make sure it is accurate, up to date, and complete. The largest number of
complaints to the Privacy Commissioner are about agencies using personal information that they
did not make sure was accurate.


19. How can I tell if personal information is relevant, up to date and complete? 


An agency should have a specific purpose for collecting personal information. Information is 
only relevant if it helps the agency to achieve that purpose. 


What information is relevant? 
Information must have a specific purpose to be relevant 


Usually, information is only relevant if the agency has a use for it at the time the agency collects it. 
An agency should not collect information just because it might be useful in the future. 


A few agencies (for example, law enforcement agencies) gather general intelligence information. 
These agencies can ask for personal information even if they do not have an immediate use for it, 
if the information is relevant to their intelligence function. 


To comply with IPP 3 an agency should only ask for personal information that will help it to 
achieve its purpose of collection. 


This is similar in practice to the requirement under IPP 1 that agencies can only collect personal
information that is necessary for or directly related to the purpose of collection. 


The following practices may breach IPP 3: 


• asking for irrelevant personal information (for example, by asking for information without a
specific purpose)

• asking for information that it would be against the law to use

• asking a group of people for personal information when the agency only needs information
about some of them

• unnecessarily recording information in a way that identifies the people it is about.


These practices are discussed in more detail in Guideline 4.


What information is up to date?


Agencies must take reasonable steps to make sure that the personal information they ask for is up 
to date. This depends partly upon the purpose that the agency will use the information for. 
Information may become inaccurate as time passes. Some types of information are more likely to 
go out of date than others. 


For example: Information about a person's family circumstances or income is likely to change over 
time, while information about his or her date of birth will not change. 


What information is complete? 


Complete information gives a true picture of the facts and helps agencies to make correct decisions 
(for example, when providing benefits or services to people). Incomplete information is likely to 
mislead people. 


For example: Police charge a person with a criminal offence. The person is found not guilty. If, 
after that, an agency only records that the person was charged, then its information is incomplete 
because people might think that the person is a criminal. If the agency records that the person was 
charged and that they were found not guilty, then its information is complete. 


20. How can agencies make sure that they only collect personal information 
that is relevant, up to date and complete? 


This guideline discusses ways that agencies can make sure that they only collect personal 
information that is relevant, up to date and complete; and so comply with IPP 3(c).


How can agencies make sure that they only ask for relevant information?


Personal information that an agency asks individuals or organisations for must relate to the 
agency’s reason for asking. 


An agency must make sure that its forms, interview methods, arrangements to regularly collect 
personal information from other organisations, and other ways of regularly collecting information, 
result in the agency collecting only relevant information. 


Agencies sometimes arrange to collect personal information regularly from other organisations. If 
an agency starts or revises this sort of arrangement, then for each type of information it should: 


• identify how that information helps achieve the purpose of collecting it; and
• ask “Can we achieve our purpose without this information?”


Otherwise, the agency may breach the IPPs. 


When an agency designs or revises its forms or interview questions, it should identify how the 
personal information it asks for helps it achieve its purpose for collecting the information. 


An agency must tell its staff how the IPPs limit the questions that they can ask. An agency can do 
this by training them or giving them written guidelines. 


An agency must design its forms and interview questions so that they only ask for personal 
information that it needs. It can do this by asking trigger questions. This makes sure that people 
do not give an agency more information than it needs. 


For example: An agency wants to use the same form for assessing applications for a benefit from 
sole parents and people with disabilities. The agency decides that to assess these applications, it 
needs to know the marital status of sole parents but not that of people with disabilities. 


The agency should design its form like this: 


1. Are you applying for this benefit because you have a disability?
(if yes - go to question 4; if no - go to question 2)


2. Are you applying for this pension because you are a sole parent?
(if yes - go to question 3; if no - go to question 4)


3. Are you:

- married?

- divorced?

- single?

- living in a de facto relationship?


4. Are there any other reasons why you are applying for this benefit?


How can agencies make sure that their information is up to date and complete? 


An agency should consider checking the personal information it collects to make sure that it is up 
to date and complete, especially if it thinks that it may be unreliable (for example, if it comes from 
an unreliable source, or it is not current).


An agency can check personal information by asking the person involved. The Privacy
Commissioner especially recommends this when the information puts a person in a bad light or
disadvantages them. The person may have extra information that puts the agency’s information
into a different light.


If personal information is likely to go out of date (for example, addresses), agencies should record 
the date when they collect the information. This will help them decide later if they need to check 
the information before they use it (so that they do not breach IPP 8). 


21. When is a collection intrusive?


When agencies collect personal information, they sometimes have to intrude into people's 
personal affairs. However, IPP 3(d) says that agencies must do their best to make sure that this 
intrusion is reasonable. 


When is collecting personal information intrusive? 
Collecting personal information will be intrusive if it involves: 


• asking questions about sensitive personal affairs

• ways of collecting personal information that require physically touching people, observing
their bodily functions, or that invade their private property

• repeatedly and unnecessarily asking for the same personal information.


Some ways that a collection could be intrusive are listed below. 


An agency should think carefully before it uses an intrusive method of collecting personal 
information. It should decide whether or not to use an intrusive method of collecting information 
based on the importance of its purpose of collection and other circumstances. 


IPP 1 also covers collecting personal information unfairly. Guidelines 6 and 7 tell you how an 
agency can avoid collecting unfairly. 


What personal information is sensitive?


The sensitivity of personal information varies. An agency can work out how private personal 
information is likely to be by considering matters like: 


• is this information available to the public?
• what codes of confidentiality bind professions that use this sort of information?
• does the person who gives the information think that it is sensitive?


Sensitive personal information may include information about a person's: 


• medical history
• relationships
• sexual preferences
• personal finances
• political loyalty
• religious or philosophical beliefs.


What ways of collecting personal information are unreasonably intrusive?


Agencies are likely to intrude unreasonably on people's privacy if the personal information they 
try to collect is irrelevant or unnecessary. If the information is irrelevant or unnecessary, even a 
minor intrusion may be unreasonable (and the agencies risk breaching IPPs 1 and 3).


Whether an intrusive method of collecting personal information is likely to be reasonable depends 
on things like: 


• whether the information is important to the agency’s purpose of collection

• the importance of, and public interest in, the agency’s purpose of collection

• the extent to which the agency intrudes on a person's privacy to collect the information

• whether the law specifically authorises the agency to use that method of collecting information

• whether people have a free choice in whether or not to provide the information - if they do it is
much less likely to be unreasonably intrusive.


22. Collecting personal information for law enforcement 


Law enforcement agencies such as the Australian Federal Police have their own guidelines on 
collecting, recording and using personal information. Their role is important to the public interest 
and they have special needs to gather intelligence information, so they have more freedom than 
other agencies when collecting information. 


A law enforcement agency doesn't always have to know exactly what it will use personal 
information for when it collects it. It can collect personal information that is generally related to 
intelligence purposes, not just a specific purpose. However, it must have good grounds for 
believing that this kind of information will help it. 


The Privacy Commissioner generally accepts that practices which comply with the internal rules of 
a law enforcement agency also comply with IPP 3, although the Commissioner reserves the right to 
find that a law enforcement agency’s rules about collecting information are unlawful or unfair. The 
Privacy Commissioner chooses to follow the decisions of courts about the information collection 
practices of law enforcement agencies. 


